Alan Paller The SANS Institute

Presentation transcript:

Alan Paller, The SANS Institute, apaller@sans.org
Cyber Espionage: “The Internet is God’s gift to spies”
Plus: The New Security Heroes

Topics for today

The Public Is Awakening. Editorial on Jan 26, “Why the 'China virus' hack at US energy companies is worrisome,” by John Yemma, Editor: “The stakes in the global cyber-war are at least as high as those in the global war on terror.”

Four years building to public outrage
August 29, 2005: Titan Rain
August 17, 2006: Gen. Lord confirms

Titan Rain
“They hit hundreds of computers that night and morning alone.
“At 10:23 p.m. PST, they found vulnerabilities at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona.
“At 1:19 a.m. PST, they found the same hole in computers at the military's Defense Information Systems Agency in Arlington, Virginia.
“At 3:25 a.m., the Naval Ocean Systems Center, a Defense Department installation in San Diego, CA.
“At 4:46 a.m. PST, the United States Army Space and Strategic Defense installation in Huntsville, AL.”

What kind of data did they take? “A huge collection of files had been stolen from Redstone Arsenal, home to the Army Aviation and Missile Command. The attackers had grabbed specs for the aviation-mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force.”

Major General William Lord
“China has downloaded 10 to 20 terabytes of data from the NIPRNet.”
“They’re looking for your identity so they can get into the network as you.”
“There is a nation-state threat by the Chinese.”
Maj. Gen. William Lord, director of information, services and integration in the Air Force’s Office of Warfighting Integration and Chief Information Officer. Government Computer News, “Red Storm Rising,” August 21, 2006.

October 6, 2006: Commerce BIS Division
The federal government's Commerce Department admitted Friday that heavy attacks on its computers by hackers working through Chinese servers have forced the bureau responsible for granting export licenses to lock down Internet access for more than a month.

Four years building to public outrage
Dec 1, 2007: 300 British companies
Apr 8, 2009: The Grid

Four years building to public outrage
January 15, 2010: Google & more
January 25, 2010: Oil companies

Setting the stage
Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, April 17, 2007. Chairman: Jim Langevin (RI): "We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security."
State Dept. witness: Don Reid, Senior Coordinator for Security Infrastructure
Commerce Dept. witness: Dave Jarrell, Manager, Critical Infrastructure Protection Program

Two responses
Commerce:
- No idea when it got in, how it got in, or where it spread
- Took 8 days to filter (ineffective)
- Unable to clean the systems; forced to replace them
- Do not know whether they have found or gotten rid of the infections
State:
- Detected it immediately
- Put an effective filter in place within 24 hours; shared the filter with other agencies
- Found two zero-days
- Helped Microsoft and AV companies create patches and signatures
- Cleaned infected systems; confident all had been found

What was the difference?
Was it tools? No. Almost the same commercial tools; Commerce had more commercial IPS/IDS.
Was it skills? Yes.
Commerce: the only experience was firewall operations, not even firewall engineering. No training other than prep for Security+ and later for CISSP.
State: experience and training in forensics, vulnerabilities and exploits, deep packet inspection, log analysis, script development, secure coding, reverse engineering. Plus counter-intelligence. And managers with strong technical security skills.

How critical is the shortage of technical security skills?
Jim Gosler (first director of CIA’s CITO, the Clandestine Information Technology Office), in a meeting in the Pentagon (10/08) with Bill Studeman, Lin Wells, Bob Lentz, Melissa Hathaway and several others: “The US has no more than 1,000 people with the advanced security skills to compete in cyberspace at world class levels; we need 20-30,000!” No one disagreed.
Other evidence of the shortage: “fratricide” among the integrators serving the Intelligence Community.

Why these skills matter: Wicked Rose. Key weapons in the next war will be people with advanced, technical cyber security skills.

Emerging Consensus in Military Cyber Skills Development
- Offense and defense need the same deep technical skills but may diverge in late stages of development
- Training should be phased, with significant on-the-job experience between training elements
- Team composition is equally important: different people will be better at some tasks than others; the model is special forces teams

The New Security Heroes Alan Paller apaller@sans.org

Bringing about broad-based change when no one works for you. The problem: CISOs are accountable for IT security but directly supervise only a small part of the systems actually in use.

What makes a security hero?
- Radically improves security in ways that can be measured reliably and replicated
- Ensures operational people are not asked to do the impossible
- Ends the security wars with IT operations and with the audit staff
- Teaches other organizations how to do the same thing, or provides the catalyst to allow others to do even more

Results in 12 Months

Proof: Federal Aurora Response
Google hack, IE vulnerability (zero day); IAVA and government notices.
What percent of systems were reported patched at DoD in four months?
What percent were actually patched at State in the first 9 days?

Quantify Special Threats: Google / Aurora attack, MS10-012 patch, Feb-March 2010

He never visited any of the 200+ foreign sites. So how did he do it? Continuous monitoring and high-level data reporting. Also known as: Continuous C&A and Continuous FISMA Compliance.

What allows continuous monitoring to work? It combines:
- Reliability and fairness in the metrics
- Authoritative consensus on what is important enough to need to be measured
But where did the consensus come from? And what else makes metrics effective?

Authoritative and Important. How can you prove you meet those criteria? The big idea: “Offense informs defense!”

Who understands offense?
- NSA Red Teams
- Top commercial forensics teams
- NSA Blue Teams
- DoD Cyber Crime Center (DC3)
- JTF-GNO
- AFOSI
- US-CERT (plus 3 agencies that were hit hard)
- Army Research Laboratory
- DoE National Laboratories
- Top commercial pen testers
- State Dept.
Would they be willing to combine their knowledge of attacks and offense to define the most important defensive investments CIOs must make?

Result: Twenty Critical Controls, the Consensus Audit Guidelines (CAG)
The twenty key controls: 15 subject to automation (examples: vulnerabilities, inventory, wireless, configuration) and 5 that are important but cannot be easily automated.

15 critical controls can be automated (columns on the slide: CAG ID; Consensus Audit Guidelines control; NIST 800-53 mapping; tool status / CIRT events over 11 months, shown in parentheses where the slide gives them):
1. Inventory of authorized and unauthorized hardware: CM-1, CM-2, CM-3, CM-4, CM-5, CM-8, CM-9 (Multiple tools; < 6%; < 22%)
2. Inventory of authorized and unauthorized software: CM-1, CM-2, CM-3, CM-5, CM-7, CM-8, CM-9, SA-7
3. Secure configurations for HW and SW, if available: CM-6, CM-7, CP-10, IA-5, SC-7 (Nominal)
4. Secure configurations for network devices such as firewalls and routers: AC-4, CM-6, CM-7, CP-10, IA-5, RA-5, SC-7
5. Boundary defense: AC-17, RA-5, SC-7, SI-4 (< 7%)
6. Maintenance/analysis of complete security audit logs: AU-1, AU-2, AU-3, AU-4, AU-6, AU-7, AU-9, AU-11, AU-12, CM-3, CM-5, CM-6, SI-4
7. Application software security: AC-4, CM-4, CM-7, RA-5, SA-3, SA-4, SA-8, SA-11, SI-3 (Decentralized)
8. Controlled use of administrative privileges: AC-6, AC-17, AT-2, AU-2
9. Controlled access based on need to know: AC-1, AC-2, AC-3, AC-6, AC-13 (< 1%)
10. Continuous vulnerability testing and remediation: CA-2, CA-6, CA-7, RA-5, SI-2
11. Dormant account monitoring and control: AC-2, PS-4, PS-5
12. Anti-malware defenses: AC-3, AC-4, AC-6, AC-17, AC-19, AC-20, AT-2, AT-3, CM-5, MA-3, MA-4, MA-5, MP-2, MP-4, PE-3, PE-4, PL-4, PS-6, RA-5, SA-7, SA-12, SA-13, SC-3, SC-7, SC-11, SC-20, SC-21, SC-22, SC-23, SC-25, SC-26, SC-27, SC-29, SC-30, SC-31, SI-3, SI-8 (< 60%)
13. Limitation and control of ports, protocols and services: AC-4, CM-6, CM-7, SC-7 (Not yet graded)
14. Wireless device control: AC-17
15. Data leakage protection: AC-2, AC-4, PL-4, SC-7, SC-31, SI-4 (Pending)
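The continuous-monitoring slides and the control table above describe scoring risk per control and reporting it up to the CIO. The Python below is an added example, not code from the presentation or from the State Dept. system it refers to: the control weights, host list and scan findings are constructed for illustration.

```python
"""Continuous-monitoring risk scoring in the style the deck describes.
Control weights, host names and findings are constructed; the deck
gives none of them and this is not the State Dept. implementation."""
from collections import defaultdict

# Weight per CAG control ID (constructed, not from the presentation).
CONTROL_WEIGHT = {1: 5, 2: 5, 3: 4, 5: 3, 10: 6, 12: 4}

# Constructed scanner output: one open finding per (host, control).
FINDINGS = [
    {"host": "ws-01", "control": 10, "detail": "MS10-012 missing", "age_days": 12},
    {"host": "ws-02", "control": 10, "detail": "MS10-012 missing", "age_days": 3},
    {"host": "ws-03", "control": 1, "detail": "unknown MAC on VLAN 20", "age_days": 30},
    {"host": "ws-04", "control": 2, "detail": "unauthorized P2P client", "age_days": 8},
    {"host": "ws-04", "control": 12, "detail": "AV signatures stale", "age_days": 9},
]
HOSTS = ["ws-01", "ws-02", "ws-03", "ws-04", "ws-05", "ws-06"]  # hosts in scope

def risk_score(finding):
    """Control weight times an age multiplier: a finding left open costs one
    extra weight unit per full week, so stale problems float to the top."""
    multiplier = 1 + finding["age_days"] // 7
    return CONTROL_WEIGHT.get(finding["control"], 1) * multiplier

def score_by_control(findings=FINDINGS, hosts=HOSTS):
    """{control: (total risk points, percent of hosts with no finding)}."""
    risk, dirty = defaultdict(int), defaultdict(set)
    for f in findings:
        risk[f["control"]] += risk_score(f)
        dirty[f["control"]].add(f["host"])
    return {c: (risk[c], round(100 * (1 - len(dirty[c]) / len(hosts)), 1))
            for c in risk}

def patch_coverage(patch_id, findings=FINDINGS, hosts=HOSTS):
    """Percent of hosts with no open finding for patch_id: the 'what percent
    were actually patched' number the deck asks for."""
    missing = {f["host"] for f in findings if patch_id in f["detail"]}
    return round(100 * (1 - len(missing) / len(hosts)), 1)

def worst_controls(n=3, findings=FINDINGS, hosts=HOSTS):
    """Controls ranked by risk points: what a CIO dashboard surfaces first."""
    scores = score_by_control(findings, hosts)
    return sorted(scores, key=lambda c: scores[c][0], reverse=True)[:n]

def grade(findings=FINDINGS, hosts=HOSTS):
    """Risk points per host, so a 600-host bureau and a 6-host one are judged
    by the same yardstick (the 'fairness' the deck calls for)."""
    per_host = sum(risk_score(f) for f in findings) / len(hosts)
    for cutoff, letter in ((5, "A"), (10, "B"), (20, "C")):
        if per_host < cutoff:
            return letter
    return "F"
```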

But: “We don’t have a lot of money; how can we get started doing what State did?”
John Gilligan’s answer: You already have most (70%) of the tools you need to automate security risk measurement. The State Dept. will give you the software they use to measure and display risk. This isn’t a money issue or a technology issue. It’s a leadership issue. You don’t have to wait for someone to tell you to do it. There is no other path available to CIOs and security managers to escape from the “compliance morass” and make a measurable difference in security.

A relevant story: Dog chases truck. Truck stops. Dog thinks: “Now what do I do?”

Now What Do We Do?
- We measure risk continuously and radically reduce the vulnerabilities (following the State Dept. model)
- We build a cadre of skilled security architects
- We buy products/systems with security baked in
- We increase the rewards for security people with key technical skills (licensing)
- We train system administrators to become the human sensor network
- We support colleges only if they teach programmers how to code securely
- We find and nurture young (and not-so-young) people with extraordinary technical skills to become the cyber guardians/warriors for the future

How Automated Continuous Monitoring Works

Results in 12 Months

State used the “20 Critical Controls” (the same CAG / NIST 800-53 / CIRT events table shown earlier under “15 critical controls can be automated”).

Portrait of a security hero!